
BlackEnergy, KillDisk Infect Ukrainian Mining, Railway Systems

Researchers at security firm Trend Micro have found evidence suggesting that pieces of malware involved in the recent attacks against Ukraine’s energy sector have been used to target other types of organizations as well.

The Russia-linked BlackEnergy malware, known to target SCADA systems in Europe and the United States, and KillDisk, a plugin designed to destroy files and make systems inoperable, were spotted last year in attacks aimed at Ukraine’s energy sector. Ukrainian authorities accused Russia of being behind the attacks that resulted in significant power outages.

An analysis of the campaign revealed that while BlackEnergy and KillDisk had been found on the targeted systems, the malware was likely not directly responsible for the outages.

Trend Micro reported on Thursday that its researchers spotted BlackEnergy and KillDisk samples on the systems of a Ukrainian mining company and a major railway operator. Experts believe these attacks were conducted by the same threat actor that targeted the country’s power companies.

In the case of the infections at the Ukrainian mining company, experts uncovered several samples whose names and functionality were similar to those of the samples spotted in the power utility attacks. The malware, used in November and December 2015, communicated with some of the same command and control (C&C) servers observed in the energy attacks.

The security firm noticed that the systems of the same mining company were also infected with multiple variants of KillDisk. The samples don’t match the ones used in the energy attacks exactly, but they do exhibit the same functionality.

Trend Micro also spotted KillDisk infections on the systems of a Ukrainian railway company that is part of the country’s national railway system. The KillDisk sample found by researchers matched one used in the electric utility attacks.

“This appears to be the only spillover from the Ukrainian power utility infection. However, while we have no proof showing that BlackEnergy was present on the railway systems, it could be assumed that it was likely present somewhere in their network,” Trend Micro senior threat researcher Kyle Wilhoit said in a blog post.

Based on the similarities between the samples, naming conventions, infrastructure overlaps, and the timing of the attacks, experts believe the same threat actor targeted all of these Ukrainian organizations, and they have several theories about the attacker’s goals.

“One is that the attackers may have wanted to destabilize Ukraine through a massive or persistent disruption involving power, mining, and transportation facilities,” Wilhoit said. “Another possibility is that they have deployed the malware to different critical infrastructure systems to determine which one is the easiest to infiltrate and subsequently wrestle control over. A related theory is that the infections in the mining and train companies may have just been preliminary infections, where the attackers are just attempting to test the code base.”
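The attribution reasoning described above (samples that share C&C servers, follow the same naming convention, reappear with an identical hash at a second victim, sit side by side on the same victim network, and cluster in time) can be expressed as a pivot over sample metadata. The following Python is an added illustration, not code from Trend Micro or from this article; every hash, file name, C&C address, victim label and date in it is a constructed placeholder, not a real indicator from the report.

```python
"""Group malware samples into campaigns by pivoting on overlap in infrastructure,
naming, co-occurrence on a victim, and timing.

Added example, not code from Trend Micro or SecurityWeek. Every hash, file name,
C&C address, victim label and date below is a constructed placeholder.
"""
from collections import defaultdict
from datetime import date
import re

# Constructed sample metadata (placeholders, not real IOCs).
SAMPLES = [
    {"id": "energy-be", "victim": "power-utility", "name": "vba_macro.exe",
     "sha256": "h-be-1", "c2": {"198.51.100.10", "198.51.100.20"}, "seen": date(2015, 12, 23)},
    {"id": "energy-kd", "victim": "power-utility", "name": "killdisk.exe",
     "sha256": "h-kd-1", "c2": set(), "seen": date(2015, 12, 23)},
    {"id": "mining-be", "victim": "mining-co", "name": "vba_macro2.exe",
     "sha256": "h-be-2", "c2": {"198.51.100.20", "203.0.113.5"}, "seen": date(2015, 11, 30)},
    {"id": "mining-kd", "victim": "mining-co", "name": "killdisk_v2.exe",
     "sha256": "h-kd-2", "c2": set(), "seen": date(2015, 12, 10)},
    {"id": "rail-kd", "victim": "railway-op", "name": "svchost32.exe",
     "sha256": "h-kd-1", "c2": set(), "seen": date(2015, 12, 22)},
    # Decoy: same naming pattern as the BlackEnergy dropper but months earlier,
    # with no shared infrastructure, hash or victim. It must not be linked.
    {"id": "decoy", "victim": "retailer", "name": "vba_macro3.exe",
     "sha256": "h-x", "c2": {"192.0.2.99"}, "seen": date(2015, 6, 1)},
]

# Trailing version or counter suffix such as "2", "_v2", "-3".
NAME_SUFFIX = re.compile(r"[_-]?v?\d+$")


def normalize_name(filename):
    """Lower-case, drop the extension and a trailing version/counter suffix."""
    stem = filename.rsplit(".", 1)[0].lower()
    return NAME_SUFFIX.sub("", stem)


def link_evidence(a, b, window_days=60):
    """Return the reasons two samples should be linked; an empty list means no link.

    Strong signals (identical hash, shared C&C host, same victim network) count
    on their own. The weak signal (naming convention) only counts when the two
    samples were first seen within window_days of each other, so a look-alike
    name from an unrelated, much older campaign does not pull it in.
    """
    reasons = []
    if a["sha256"] == b["sha256"]:
        reasons.append("identical hash")
    shared_c2 = a["c2"] & b["c2"]
    if shared_c2:
        reasons.append("shared C&C " + ",".join(sorted(shared_c2)))
    if a["victim"] == b["victim"]:
        reasons.append("same victim network")
    close_in_time = abs((a["seen"] - b["seen"]).days) <= window_days
    if close_in_time and normalize_name(a["name"]) == normalize_name(b["name"]):
        reasons.append("naming convention")
    return reasons


def cluster(samples, window_days=60):
    """Union-find over pairwise links.

    Returns ({cluster_root: sorted member ids}, {(id_a, id_b): reasons}) so an
    analyst can review exactly why each pair of samples was joined.
    """
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    edges = {}
    for i, a in enumerate(samples):
        for b in samples[i + 1:]:
            reasons = link_evidence(a, b, window_days)
            if reasons:
                edges[(a["id"], b["id"])] = reasons
                parent[find(a["id"])] = find(b["id"])
    groups = defaultdict(list)
    for s in samples:
        groups[find(s["id"])].append(s["id"])
    return {root: sorted(ids) for root, ids in groups.items()}, edges


def campaign_of(sample_id, samples=SAMPLES):
    """Sorted member list of the cluster that contains sample_id."""
    groups, _ = cluster(samples)
    for members in groups.values():
        if sample_id in members:
            return members
    return [sample_id]


if __name__ == "__main__":
    groups, edges = cluster(SAMPLES)
    for pair, why in edges.items():
        print(pair, "->", "; ".join(why))
    for members in groups.values():
        print("cluster:", members)
```

On the constructed data the energy, mining and railway samples end up in one cluster: the two BlackEnergy droppers share a C&C host and a naming pattern, the two KillDisk variants share only a naming pattern within the time window, the railway KillDisk sample is byte-identical to the utility one, and each victim's BlackEnergy and KillDisk samples are joined because they were found on the same network. The decoy stays alone because its only overlap is a name match outside the window. Keeping the evidence per edge matters more than the clustering itself: a single shared hosting provider or a generic file name can otherwise merge unrelated campaigns.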

The United States is concerned that attacks like the one aimed at Ukraine’s energy sector could be launched against its own critical infrastructure. While the US government has so far refrained from officially pointing the finger at Russia for the Ukraine cyberattacks, CNN reported on Thursday that Elizabeth Sherwood-Randall, Deputy Secretary at the Department of Energy, told a gathering of power grid industry execs that Russia is behind the attacks.

Robert M. Lee, founder and CEO of Dragos Security, told SecurityWeek last month that while attacks like the ones in Ukraine could be launched against European countries and the United States, they would likely result in less significant damage.

Related: Attackers Use Word Docs to Deliver BlackEnergy Malware

Related: Ukraine Accuses Russia of Cyber Attack on Kiev Airport

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
